With more APIs in circulation than ever before, the number of API abuses reported across industries has risen in step. APIs are a valuable asset to bad actors, yet many organizations have not woken up to the need to protect their APIs from abuse. Couple that with attacks on APIs becoming more sophisticated, with some attackers even using AI themselves, and you can see why even security-conscious organizations can have trouble properly securing their APIs.
A robust API security posture can be broken down into several areas, including:
● Proper design and coding during the development process
● API governance and compliance through visibility of all your APIs (shadow APIs too!) and a map of how they connect to each other
● General application and API protection from tools such as API gateways, WAFs, NG-WAFs, and RASPs
● An always-updating understanding of how your users behave toward your APIs
You won’t have comprehensive API security without solutions in each of these areas.
We will also discuss:
● The roles of API developers, infosec, support, and enterprise architects as they relate to API security
● The role of microservices in making it difficult to secure your APIs
● The importance of inventorying your APIs
● How technologies like Traceable can help protect your APIs against advanced attacks
Key takeaways:
● Why your APIs are a key attack surface for modern bad actors
● Why APIs are so much harder to secure than traditional web traffic
● What’s necessary to secure your APIs
● Why yesterday’s solutions can’t solve today’s new API security challenges
API Security - Everything You Need to Know To Protect Your APIs
1. API Security: Everything You Need to Know to Protect Your APIs
Mar 17, 2021
Visibility • Protection • Resolution
Doc ver: 2021-03-04-01
Aaron Lieberman, Cloud Practice Manager and Architect, Big Compass
Dan Gordon, Dir, Technical Evangelism, Traceable AI
2. Agenda (https://traceable.ai)
1. API landscape
2. Microservices role in API security
3. The difficult task of protecting APIs
4. How visibility relates to API security
5. Business roles
6. Layered API security
7. Traceable Defense AI
8. Q&A
Based on Aaron’s new e-book, The Practical Guide to API Security:
3. Introductions
Big Compass
● MuleSoft, AWS, Confluent, Salesforce, and Boomi partners
● Consulting - specializing in integrations, related technologies, API development, and API security
● We build connections between systems, applications, people, and ideas
Aaron Lieberman
● Cloud Practice Manager and Architect at Big Compass
● API security practitioner
● API enthusiast, developer, designer, and owner
● Denver MuleSoft Meetup Leader and Presenter
● All Things Integration Meetup Leader and Presenter
● Speaker, blogger, writer
8. Current API Threats Landscape
● 56% see 10 - 55 attacks per month
● 22% see 51 - 200 attacks per month
● 91% experienced an API security incident last year
Source: Cyber Attack Report
9. API Attacks Affect Everyone
● “50 million Facebook accounts breached by access-token-harvesting attack”
● “T-Mobile Alerts 2.3 Million Customers of Data Breach Tied to Leaky API”
● “US Postal Service Exposes 60 Million Users in API Snafu”
11. API Evolution
● Massive growth in APIs
● Organizations commonly deploy APIs without documenting them
● Inventory management of APIs is crucial
12. API Protection
● An API inventory is crucial to protecting your APIs
● You can’t protect what you don’t know about!
● Inventory is the first step in protecting your APIs
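One practical way to start the inventory the slide calls for is to compare what the gateway actually serves against what the team has documented. The following is an added example, not code from the deck or from Traceable; the access log lines and the inventory of OpenAPI-style path templates are constructed, and the identifier regex is a simplifying assumption about how IDs appear in paths.

```python
import re
from collections import Counter

# Constructed sample gateway access log (method path status); not real traffic.
ACCESS_LOG = """\
GET /api/v1/users/1042 200
GET /api/v1/users/77 200
POST /api/v1/orders 201
GET /api/v1/orders/9001/items 200
GET /internal/debug/config 200
POST /api/v1/users/1042/export 200
GET /api/v1/users/1042 200
"""

# Hypothetical documented inventory (OpenAPI-style path templates); not a real project's spec.
INVENTORY = {
    "GET /api/v1/users/{id}",
    "POST /api/v1/orders",
    "GET /api/v1/orders/{id}/items",
    "DELETE /api/v1/orders/{id}",
}

# Path segments that look like identifiers: integers, long hex strings, UUIDs (assumption).
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8,}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$")


def normalize(method: str, path: str) -> str:
    """Collapse identifier segments so /users/1042 and /users/77 map to one endpoint."""
    segs = ["{id}" if ID_SEGMENT.match(s) else s for s in path.strip("/").split("/")]
    return f"{method} /" + "/".join(segs)


def observed_endpoints(log_text: str) -> Counter:
    """Count requests per normalized endpoint seen in the access log."""
    counts = Counter()
    for line in log_text.splitlines():
        method, path, _status = line.split()
        counts[normalize(method, path)] += 1
    return counts


def audit(log_text: str, inventory: set):
    """Return (shadow endpoints with hit counts, documented endpoints never observed)."""
    seen = observed_endpoints(log_text)
    shadow = {ep: n for ep, n in seen.items() if ep not in inventory}
    unused = sorted(inventory - set(seen))
    return shadow, unused
```

Shadow endpoints are the ones to chase down first; documented-but-unused ones are candidates for retirement, which also shrinks the attack surface.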
16. Traceability Is Key
● APIs are decoupled from orchestration and business logic
● More microservices mean a greater need to track communication across all distributed services to detect abnormal behavior
● You are not monitoring just one system; you are monitoring many distributed microservices
18. API Attack Detection Data
● Average cost of a data breach: $3.92M
● Time to identify and contain a breach: 279 days
● Average records stolen in a data breach: 25,575
19. API Attack Detection
● API breaches can take months or years to detect
● High volume of traffic across many APIs
● High velocity connections
● Diverse traffic running through many APIs
● API ownership is not always clear
● Advanced API attacks reduce the effectiveness of traditional API security measures
20. Advanced API Attacks
● OWASP API Top 10 identifies known attacks
● Hackers launch advanced attacks using ML/AI
● Advanced attacks are unpredictable
26. First Line of Defense - API Gateway Security
● Protects against brute force attacks and other simple attacks
● Gateway security measures
○ OAuth 2.0
○ Rate limiting
○ IP whitelisting
○ Client ID enforcement
○ JWT
○ SAML
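Three of the gateway measures listed above (client ID enforcement, JWT validation and rate limiting) in one request-admission function, as an added example that is not from the deck, from a gateway product or from Traceable. The HMAC secret, the allowed client IDs and the 5-requests-per-60-seconds limit are constructed for the demo; a real gateway would use asymmetric keys from the issuer's JWKS and a shared store for the counters.

```python
import base64, hashlib, hmac, json
from collections import defaultdict, deque

SECRET = b"constructed-demo-secret"               # HMAC key, constructed for the example
ALLOWED_CLIENT_IDS = {"mobile-app", "partner-x"}  # hypothetical client ID enforcement list
RATE_LIMIT, WINDOW = 5, 60                        # max requests per client per 60 s window
_hits = defaultdict(deque)                        # client_id -> timestamps inside the window

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict) -> str:
    """Build an HS256 JWT; used here only to create tokens for the demo."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, now: float):
    """Return the claims only if alg is HS256, the signature matches and exp is in the future."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":  # pin the algorithm
            return None
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):    # constant-time comparison
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed base64 or JSON
        return None
    return claims if claims.get("exp", 0) > now else None

def gateway_check(client_id: str, token: str, now: float) -> str:
    """Apply client ID enforcement, token validation and rate limiting in that order."""
    if client_id not in ALLOWED_CLIENT_IDS:
        return "deny:unknown_client"
    if verify_jwt(token, now) is None:
        return "deny:bad_token"
    window = _hits[client_id]
    while window and window[0] <= now - WINDOW:   # evict hits older than the sliding window
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return "deny:rate_limited"
    window.append(now)
    return "allow"
```

Note that a valid, unexpired token from an allowed client passes every check here, which is exactly the gap the third line of defense later in the deck is meant to cover.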
27. Second Line of Defense - WAF/RASP
● Protects against some of the OWASP Top 10 attacks
● Sits at the entry point to the API gateway and backend services and detects attacks such as
○ SQL injection
○ Cross site scripting
○ DDoS
28. Third Line of Defense - ML/AI
● Last line of defense that models the behavior of your API
● Can detect deviations from normal behavior
● Protects against advanced attacks from
○ Stolen tokens
○ Insider threats
○ Stolen credentials
○ Authenticated access
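The third line works on behavior rather than on tokens or signatures: a stolen token is valid, so only a deviation from that user's learned baseline gives it away. The following added example (not from the deck or from Traceable, whose platform uses unsupervised ML rather than these hand-written heuristics) learns a per-user profile from constructed baseline traffic and scores a later window of requests, all carrying a valid token, for new endpoints, a new source network and a request burst.

```python
from collections import defaultdict
from statistics import mean

# Constructed baseline traffic for one user: (user, src_ip, endpoint, timestamp). Not real data.
BASELINE = [
    ("alice", "10.1.1.5", "GET /api/v1/users/{id}", 100),
    ("alice", "10.1.1.5", "GET /api/v1/orders/{id}/items", 160),
    ("alice", "10.1.1.6", "GET /api/v1/users/{id}", 230),
    ("alice", "10.1.1.5", "GET /api/v1/orders/{id}/items", 290),
    ("alice", "10.1.1.6", "GET /api/v1/users/{id}", 350),
]

def _net(ip: str) -> str:
    """Coarse source-network key (first three octets) used instead of exact IP matching."""
    return ip.rsplit(".", 1)[0]

def build_profiles(events):
    """Learn, per user, the endpoints and networks seen plus the mean gap between requests."""
    per_user = defaultdict(list)
    for user, ip, ep, ts in sorted(events, key=lambda e: e[3]):
        per_user[user].append((ip, ep, ts))
    profiles = {}
    for user, evs in per_user.items():
        gaps = [b[2] - a[2] for a, b in zip(evs, evs[1:])]
        profiles[user] = {
            "endpoints": {ep for _, ep, _ in evs},
            "nets": {_net(ip) for ip, _, _ in evs},
            "mean_gap": mean(gaps) if gaps else None,
        }
    return profiles

def score_window(profile: dict, events):
    """Score a run of (src_ip, endpoint, timestamp) requests made with the profiled user's
    valid token. Returns (score, reasons); each reason is one deviation from the baseline."""
    evs = sorted(events, key=lambda e: e[2])
    reasons = []
    new_eps = {ep for _, ep, _ in evs} - profile["endpoints"]
    if new_eps:
        reasons.append(f"new_endpoints:{len(new_eps)}")
    if {_net(ip) for ip, _, _ in evs} - profile["nets"]:
        reasons.append("new_network")
    gaps = [b[2] - a[2] for a, b in zip(evs, evs[1:])]
    # A burst is a mean gap an order of magnitude below this user's norm (threshold assumed).
    if gaps and profile["mean_gap"] and mean(gaps) < profile["mean_gap"] / 10:
        reasons.append("burst")
    return len(reasons), reasons
```

In practice the score would feed a step-up challenge or a block at the gateway, and the reasons list is what the analyst sees when triaging the alert.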
30. Traceable Defense AI
● Hypertrace - Distributed Tracing
● Trace AI Platform - Unsupervised Machine Learning
● Defense AI
Visibility: Real-time complete service, API, & data visibility
Protection: (WAF+RASP+API)++; AI first, no rules required, low false positives
Resolution: Per transaction contextual data for Dev, Sec, and Ops
31. Visibility - Complete app security discovery & observability
● Complete visualization of your apps
● Understands interactions between your services
● Understands flow of traffic between services
● Understands who’s using your services
● Understands data flow between services
32. Visibility - Real-time API Discovery & Risk Scoring
● Discovers external and internal API usage in real-time
● Continuous API endpoint risk scoring based on API Intelligence
● Understands & models API behavior
● No more shadow APIs
33. Protection - AI First Detection, No Rules Required
● Beyond WAFs & RASPs - no rules required, low false positives
● Protects against OWASP & OWASP API top 10 threat lists
● User focused threat activity timelines
● Evolves defenses to match continuously changing threats and application architectures
34. Protection - Block sophisticated business logic attacks
● Understands user behavior
● Detects & blocks anomalous user behavior
● Prevents fraud attacks
● Stops data breaches
35. Resolution - Contextual Data for Dev, Sec and Ops
● Per transaction explorable data lake for forensics and troubleshooting
● Increases resolution velocity due to shared visibility
● Closely aligns SecOps and Dev teams
● Helps developers understand API security risks